How to debug in a MacOS environment?
Hi,
I have a communication problem with some MacOS clients: they don't appear in PMS.
What I did was check:
1- /usr/local/f-secure/fsmac/sysconfig/pm_address
2- /usr/local/f-secure/fsmac/sysconfig/pm_fingerprint
3- the PMS certificate in the system's keychains and trust it
I'd like to know if there is a guideline to follow for debugging to solve this problem.
Thank you!
Best Answer
Hi,
Firstly, can the MacOS host reach the Policy Manager via an HTTP browser?
There are several reasons why an F-Secure Client Security for Mac host is unable to connect to the Policy Manager Server after the installation, as listed below:
- The Policy Manager Address and ports were misconfigured during the exporting process
- The .mpkg filename was modified after exporting the installer from the Policy Manager Console
- Certificate issue
Before you start troubleshooting, make sure that you have tried the installation with the latest Client Security for Mac installer. You can find the latest installers on the Downloads page.
1. Make sure that you have used the correct Policy Manager Address when exporting the .mpkg installer.
2. Make sure that you have not modified the .mpkg filename:
When you export the .mpkg installation package from the Policy Manager Server, the Policy Manager address and activation key are embedded in the filename. If the filename is modified, the client is unable to read the correct Policy Manager address and activation key during installation.
Check whether these files exist and the license is active to determine that the product is installed correctly.
- /usr/local/f-secure/fsmac/sysconfig/pm_fingerprint
- /usr/local/f-secure/fsmac/sysconfig/pm_address
3. Check for any certificate issue by using the Safari browser to open the Policy Manager Server welcome page.
If there is a certificate issue, you could perform the following steps in order to solve it.
1. Run this command on the Policy Manager Server to export the CA certificate
In case of Windows:
"c:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -keystore "c:\Program Files (x86)\F-Secure\Management Server 5\data\fspms-ca.jks" -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected
In case of Linux:
/opt/f-secure/fspms/jre/bin/keytool -keystore /var/opt/f-secure/fspms/data/fspms-ca.jks -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected
2. Transfer the exported certificate "fspms-ca.cer" to the Big Sur clients
3. Run the following command to trust it on the system level (you will be prompted to enter a password for admin credentials)
sudo security add-trusted-cert -d -r trustRoot -p ssl -k "/Library/Keychains/System.keychain" "path/to/certificate/file/fspms-ca.cer"
Note: You can also use MDM solutions to deploy the CA certificate to all Mac hosts within the company.
For more detailed information, you could refer to the following community article.
In case of an existing client installation with the connectivity status update issue, you could consider increasing the maximum uploaded package size (maxUploadedPackageSize) to 10 MB as recommended in the community article below and check if there is any improvement after that.
You may refer to the following article for more details on how to configure the "maxUploadedPackageSize" setting in the Policy Manager Server.
1
Answers
I forgot to add the syslog.
This is what I found:
/usr/local/bin/fsav[18212]: Subscription check: Failed to initialize connection to AUA: FSAUA_NOT_AVAILABLE
/usr/local/bin/fsav[18212]: Subscription check: Failed to get value of channel variable VUser: FSAUA_NOT_INITIALIZE
/com.f-secure.SECL-SECL[18212]: Subscription check: Failed to get value of channel variable User: FSAUA_NOT_INITIALIZED
com.f-secure.SECL-SECL[18212]: Subscription check: Failed to initialize connection to AUA: FSAUA_NOT_AVAILABLE
0 -
Hi,
A big thank you for your detailed answer, which will be really useful for debugging.
Just a question about the certificate: if I use an F-Secure Manager Proxy with a company-trusted certificate, do I need to export both certificates (fspms and fspmp) to the MacBook client and validate them with both the root and client accounts? Or do I only have to export a new .mpkg with the fspmp information (which should embed the company-trusted certificate)?
Thank you!
0 -
Hi @SecurMander
You should export the CA certificate from FSPMS and transfer it to the Mac client to be trusted.
Thanks
Sethu
1 -
Thanks for this guide
0